Secure, Dynamic and Distributed Access Control Stack for Database Applications
Pereira, O.; Regateiro, DDR; Aguiar, R.
Secure, Dynamic and Distributed Access Control Stack for Database Applications, Proc International Conf. on Software Engineering and Knowledge Engineering - SEKE, Pittsburgh, United States, Vol. 1, pp. 364 - 369, July, 2015.
Digital Object Identifier: 10.18293/SEKE2015-049
Abstract
In database applications, access control security layers are mostly developed from tools provided by vendors of database management systems and deployed on the same servers that contain the data to be protected. This solution conveys several drawbacks. Among them we emphasize: 1) if policies are complex, their enforcement can lead to performance decay of database servers; 2) when modifications in the established policies imply modifications in the business logic (usually deployed at the client-side), there is no other possibility than to modify the business logic in advance; and, finally, 3) malicious users can issue CRUD expressions systematically against the DBMS expecting to identify any security gap. In order to overcome these drawbacks, in this paper we propose an access control stack characterized by: most of the mechanisms are deployed at the client-side; whenever security policies evolve, the security mechanisms are automatically updated at runtime; and, finally, client-side applications do not handle CRUD expressions directly. We also present an implementation of the proposed stack to prove its feasibility. This paper presents a new approach to enforce access control in database applications, and in this way expects to contribute positively to the state of the art in the field.
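The three properties the abstract claims for the stack (client-side enforcement, runtime policy updates, and business logic that never touches CRUD expressions) are easier to see in code. The following is an added illustration written for this page, not the implementation from the paper; the catalog of named CRUD expressions, the `Policy` object, the `AccessControlStack` class and the in-memory SQLite table are all assumptions constructed here to show the idea.

```python
import sqlite3
from dataclasses import dataclass

# Constructed catalog of named CRUD expressions. The business logic only ever
# refers to these names; it has no API through which it could submit raw SQL,
# which removes the "probe the DBMS with arbitrary CRUD expressions" vector.
CRUD_CATALOG = {
    "list_orders":  "SELECT id, customer, total FROM orders WHERE customer = ?",
    "add_order":    "INSERT INTO orders (customer, total) VALUES (?, ?)",
    "delete_order": "DELETE FROM orders WHERE id = ?",
}


class AccessDenied(Exception):
    """Raised on the client side, before anything reaches the DBMS."""


@dataclass(frozen=True)
class Policy:
    version: int
    allowed: dict  # role -> set of CRUD expression names that role may run


class AccessControlStack:
    """Client-side enforcement point sitting between business logic and DBMS."""

    def __init__(self, conn, policy):
        self._conn = conn
        self._policy = policy

    def policy_version(self):
        return self._policy.version

    def update_policy(self, policy):
        # Runtime policy change: the business logic calling execute() is untouched.
        self._policy = policy

    def execute(self, role, name, params=()):
        # Deny unknown names first so a client cannot discover catalog contents
        # by distinguishing "unknown" from "not permitted".
        if name not in CRUD_CATALOG or name not in self._policy.allowed.get(role, set()):
            raise AccessDenied(f"role {role!r} may not run {name!r}")
        cur = self._conn.execute(CRUD_CATALOG[name], params)
        self._conn.commit()
        return cur.fetchall()


def build_demo_stack():
    """Constructed sample: one table, one row, a v1 policy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total INTEGER)")
    conn.execute("INSERT INTO orders (customer, total) VALUES ('acme', 10)")
    conn.commit()
    policy = Policy(version=1, allowed={
        "clerk":   {"list_orders", "add_order"},
        "manager": set(CRUD_CATALOG),
    })
    return AccessControlStack(conn, policy)


def run_scenario():
    """Walk through enforcement, denial, and a runtime policy update."""
    stack = build_demo_stack()
    before = stack.execute("clerk", "list_orders", ("acme",))
    try:
        stack.execute("clerk", "delete_order", (1,))
        denied = False
    except AccessDenied:
        denied = True
    # Policy evolves at runtime: clerks may now delete. No client code changes.
    stack.update_policy(Policy(version=2, allowed={
        "clerk":   {"list_orders", "add_order", "delete_order"},
        "manager": set(CRUD_CATALOG),
    }))
    stack.execute("clerk", "delete_order", (1,))
    after = stack.execute("clerk", "list_orders", ("acme",))
    return {"before": before, "denied_under_v1": denied,
            "after": after, "policy_version": stack.policy_version()}


if __name__ == "__main__":
    print(run_scenario())
```

The check happens on the client before any SQL is sent, so the DBMS does no policy evaluation (drawback 1), the policy object is replaced without editing business logic (drawback 2), and the only thing a caller can name is a catalog entry, never a CRUD expression of its own (drawback 3).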